CVE-2024-51818 – Fancy Product Designer <= 6.4.3 - Unauthenticated SQL Injection
https://notcve.org/view.php?id=CVE-2024-51818
03 Jan 2025 — The Fancy Product Designer plugin for WordPress is vulnerable to SQL injection in versions up to, and including, 6.4.3 due to insufficient escaping of a user-supplied parameter and lack of sufficient preparation of the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL to existing queries and extract sensitive information from the database. • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2024-51919 – Fancy Product Designer <= 6.4.3 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-51919
03 Jan 2025 — The Fancy Product Designer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 6.4.3. This makes it possible for unauthenticated attackers to upload arbitrary files to the affected site's server, which may make remote code execution possible. • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2024-0905 – Fancy Product Designer < 6.1.8 - Reflected Cross Site Scripting
https://notcve.org/view.php?id=CVE-2024-0905
26 Apr 2024 — The Fancy Product Designer WordPress plugin before 6.1.8 does not sanitise and escape a parameter before outputting it back into the page, leading to reflected cross-site scripting that could be used against both unauthenticated and admin-level users. The F... • https://wpscan.com/vulnerability/3b9eba0d-29aa-47e4-b17f-4cf4bbf8b690 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-0904 – Fancy Product Designer < 6.1.81 - Admin+ Cross Site Scripting
https://notcve.org/view.php?id=CVE-2024-0904
15 Apr 2024 — The Fancy Product Designer WordPress plugin before 6.1.81 does not sanitise and escape some of its settings, which could allow high-privilege users such as administrators to perform stored cross-site scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). • https://wpscan.com/vulnerability/baf4afc9-c20e-47d6-a798-75e15652d1e3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-0902 – Fancy Product Designer < 6.1.81 - Admin+ Cross Site Scripting via Product Title
https://notcve.org/view.php?id=CVE-2024-0902
25 Mar 2024 — The Fancy Product Designer WordPress plugin before 6.1.81 does not sanitise and escape some of its settings, which could allow high-privilege users such as administrators to perform stored cross-site scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). • https://wpscan.com/vulnerability/fd53e40a-516b-47b9-b495-321774432367 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
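The three XSS entries above (CVE-2024-0905, CVE-2024-0904, CVE-2024-0902) name two distinct mistakes: a request parameter reflected without escaping, and a setting stored by an administrator without sanitising even though unfiltered_html is withheld. The following is an added example, not code from the Fancy Product Designer plugin; function, option and nonce names (example_*) are hypothetical, and it assumes it runs inside WordPress so the esc_*, wp_kses_* and capability helpers are available.

```php
<?php
// Added example, not Fancy Product Designer code: the two escaping mistakes in
// the XSS entries above, each beside a hardened form. Function, option and
// nonce names are hypothetical; the code runs inside WordPress.

// --- Reflected XSS: a request parameter echoed straight back into the page ---
function example_render_search_vulnerable() {
    $q = isset( $_GET['q'] ) ? wp_unslash( $_GET['q'] ) : '';
    echo '<p>Results for: ' . $q . '</p>'; // VULNERABLE: raw output, any viewer
}

function example_render_search_fixed() {
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    // Escape at the sink, with the escaper for the context the value lands in.
    echo '<p>Results for: ' . esc_html( $q ) . '</p>';
    echo '<input type="text" name="q" value="' . esc_attr( $q ) . '">';
}

// --- Stored XSS via a plugin setting, unfiltered_html disallowed ---
// Core lets users who hold unfiltered_html store raw HTML; on multisite that
// capability is withheld even from site administrators. A setting saved
// without sanitising becomes a stored XSS for everyone who views it.
function example_save_label_vulnerable() {
    update_option( 'example_fpd_label', wp_unslash( $_POST['label'] ) ); // VULNERABLE
}

function example_save_label_fixed() {
    check_admin_referer( 'example_save_label' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    $raw = isset( $_POST['label'] ) ? wp_unslash( $_POST['label'] ) : '';
    // Mirror core: without unfiltered_html the value goes through wp_kses_post(),
    // which strips <script>, on* event handlers and javascript: URLs.
    $label = current_user_can( 'unfiltered_html' ) ? $raw : wp_kses_post( $raw );
    update_option( 'example_fpd_label', $label );
}

function example_show_label() {
    // Filter on output too: values stored before the fix are still in the DB.
    echo '<h2>' . wp_kses_post( get_option( 'example_fpd_label', '' ) ) . '</h2>';
}
```

The check to carry away: sanitising on input (sanitize_text_field, wp_kses_post) and escaping on output (esc_html, esc_attr, chosen per HTML context) are both needed, because a fix that only sanitises new writes leaves already-stored payloads live, and a fix that only escapes one sink misses the next template that prints the same option.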
CVE-2024-0365 – Fancy Product Designer < 6.1.5 - Admin+ SQL Injection
https://notcve.org/view.php?id=CVE-2024-0365
20 Feb 2024 — The Fancy Product Designer WordPress plugin before 6.1.5 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by administrators. The Fancy Product Designer plugin for WordPress is vulnerable to SQL Injection in al... • https://wpscan.com/vulnerability/4b8b9638-d52a-40bc-b298-ae1c74788c18 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2021-4334 – Fancy Product Designer <= 4.6.9 - Insufficient Authorization to Arbitrary Options Update via fpd_update_options
https://notcve.org/view.php?id=CVE-2021-4334
05 Apr 2023 — The Fancy Product Designer plugin for WordPress is vulnerable to unauthorized modification of site options due to a missing capability check on the fpd_update_options function in versions up to, and including, 4.6.9. This makes it possible for authenticated attackers with subscriber-level permissions to modify site options, including setting the default role to administrator, which allows privilege escalation. • https://support.fancyproductdesigner.com/support/discussions/topics/13000029981 • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •
CVE-2021-4335 – Fancy Product Designer <= 4.6.9 - Insufficient Authorization on Multiple AJAX Actions
https://notcve.org/view.php?id=CVE-2021-4335
05 Apr 2023 — The Fancy Product Designer plugin for WordPress is vulnerable to unauthorized access to data and modification of plugin settings due to a missing capability check on multiple AJAX functions in versions up to, and including, 4.6.9. This makes it possible for authenticated attackers with subscriber-level permissions to modify plugin settings, retrieve arbitrary order information, or create, update or delete products, orders and other sensitive data not associated with their own account. • https://support.fancyproductdesigner.com/support/discussions/topics/13000029981 • CWE-285: Improper Authorization •
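Both CVE-2021-4334 and CVE-2021-4335 come down to the same pattern: an admin-ajax.php handler registered on a wp_ajax_* hook with no capability check, so any authenticated user (a subscriber included) can call it. The following is an added example, not the plugin's own code; the hook, handler and option names (example_*) are hypothetical, and it assumes it runs inside WordPress.

```php
<?php
// Added example, not the plugin's code: an admin-ajax handler without and with
// an authorization check. Hook, handler and option names are hypothetical.

// VULNERABLE: every logged-in user can reach a wp_ajax_* handler through
// /wp-admin/admin-ajax.php?action=example_update_options_vulnerable. With no
// capability check the handler writes whatever option names the caller sends,
// e.g. options[default_role]=administrator.
function example_update_options_vulnerable() {
    $options = isset( $_POST['options'] ) ? (array) wp_unslash( $_POST['options'] ) : array();
    foreach ( $options as $name => $value ) {
        update_option( $name, $value );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_update_options_vulnerable', 'example_update_options_vulnerable' );

// FIXED: verify the nonce (CSRF), then the capability (authorization), and
// restrict writes to an allow-list so arbitrary option names cannot be set.
function example_update_options_fixed() {
    check_ajax_referer( 'example_update_options', 'nonce' ); // ends the request on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $allowed = array( 'example_fpd_canvas_width', 'example_fpd_canvas_height' );
    $options = isset( $_POST['options'] ) ? (array) wp_unslash( $_POST['options'] ) : array();
    foreach ( $options as $name => $value ) {
        if ( ! in_array( $name, $allowed, true ) ) {
            continue; // drop anything outside the allow-list
        }
        update_option( $name, absint( $value ) ); // these two settings are integers
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_update_options', 'example_update_options_fixed' );

// The nonce the fixed handler expects is handed to the admin page's script.
// 'example-admin' is a hypothetical script handle registered elsewhere.
function example_enqueue_admin_script() {
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_update_options' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

A nonce on its own is not the fix for this class of bug: check_ajax_referer() only proves the request came from a page that was issued the nonce, and a subscriber's own dashboard can issue one. The current_user_can() test is what closes CVE-2021-4334/4335; the allow-list is what stops a future handler from becoming an arbitrary-option write again.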
CVE-2021-4096 – Fancy Product Designer <= 4.7.5 - Cross-Site Request Forgery to Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2021-4096
14 Apr 2022 — The Fancy Product Designer plugin for WordPress is vulnerable to Cross-Site Request Forgery via the FPD_Admin_Import class in versions up to, and including, 4.7.5, which makes it possible for attackers to upload malicious files that could be used to gain webshell access to the server. • https://support.fancyproductdesigner.com/support/discussions/topics/13000031615 • CWE-352: Cross-Site Request Forgery (CSRF) CWE-434: Unrestricted Upload of File with Dangerous Type •
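CVE-2021-4096 above chains two missing checks on an admin import handler (no CSRF token, no file type validation), and CVE-2024-51919 shows the second check missing on its own, reachable without authentication. The following is an added example of an import handler with both flaws and then hardened; it is not the plugin's FPD_Admin_Import code, the action and field names (example_*) are hypothetical, and it assumes it runs inside WordPress.

```php
<?php
// Added example, not the plugin's code: an admin import handler as the two
// flaws above would leave it, then hardened. Names are hypothetical.

// VULNERABLE: no nonce (an administrator who visits an attacker's page submits
// this form for them) and no file-type check (a .php file lands under
// wp-content, where the web server will execute it).
function example_import_vulnerable() {
    $dest = wp_upload_dir()['basedir'] . '/example-import/' . basename( $_FILES['file']['name'] );
    move_uploaded_file( $_FILES['file']['tmp_name'], $dest );
}
add_action( 'admin_post_example_import_vulnerable', 'example_import_vulnerable' );

function example_import_fixed() {
    // 1. CSRF: the request must carry a nonce minted for this action.
    check_admin_referer( 'example_import', 'example_import_nonce' );
    // 2. Authorization: a nonce proves intent, not privilege.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        wp_die( 'No file uploaded', '', array( 'response' => 400 ) );
    }
    // 3. File type: allow-list by extension AND sniffed content, never by the
    //    client-supplied MIME type. Extension and content must agree.
    $allowed = array( 'csv' => 'text/csv', 'zip' => 'application/zip' );
    $check   = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $_FILES['file']['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_die( 'File type not permitted', '', array( 'response' => 415 ) );
    }
    // 4. Let core place the file: wp_handle_upload() repeats the type check,
    //    sanitises the name and renames on collision.
    $moved = wp_handle_upload( $_FILES['file'], array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $moved['error'] ) ) {
        wp_die( esc_html( $moved['error'] ), '', array( 'response' => 400 ) );
    }
    wp_safe_redirect( add_query_arg( 'imported', '1', admin_url( 'admin.php?page=example-import' ) ) );
    exit;
}
add_action( 'admin_post_example_import', 'example_import_fixed' );

// The form that targets the fixed handler. wp_nonce_field() emits the hidden
// input that check_admin_referer() above verifies.
function example_import_form() {
    echo '<form method="post" enctype="multipart/form-data" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_import">';
    wp_nonce_field( 'example_import', 'example_import_nonce' );
    echo '<input type="file" name="file"><button type="submit">Import</button></form>';
}
```

Two caveats a reviewer would raise on the hardened version: $_FILES['file']['type'] is set by the browser and must never be consulted, which is why the check goes through wp_check_filetype_and_ext() with an explicit $mimes list; and if the import really must be reachable without a session (the CVE-2024-51919 case), the file-type allow-list still applies but the handler should write only to a directory that the web server is configured not to execute from.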
CVE-2021-4134 – Fancy Product Designer <= 4.7.4 Admin+ SQL Injection
https://notcve.org/view.php?id=CVE-2021-4134
08 Feb 2022 — The Fancy Product Designer WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the ID parameter found in the ~/inc/api/class-view.php file, which allows attackers with administrative-level permissions to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 4.7.4. • https://support.fancyproductdesigner.com/support/discussions/topics/13000031264 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
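The three SQL injection entries on this page (CVE-2024-51818, CVE-2024-0365 and CVE-2021-4134) all describe the same root cause: a parameter, in the last case an ID, concatenated into a query instead of being bound through $wpdb->prepare(). The following is an added example, not the plugin's class-view.php code; the table and function names (example_*) are hypothetical, and it assumes it runs inside WordPress with the global $wpdb.

```php
<?php
// Added example, not the plugin's code: an ID parameter interpolated into a
// query, beside the prepared form. Table and function names are hypothetical.

// VULNERABLE: string concatenation. esc_sql() would not help here either: in a
// numeric context no quote is needed, so an $id of "1 OR 1=1" or
// "1 UNION SELECT user_login, user_pass, 3 FROM wp_users" runs as written.
// Reachable unauthenticated (the CVE-2024-51818 class) that is a full DB read.
function example_get_view_vulnerable( $id ) {
    global $wpdb;
    $sql = "SELECT id, title, options FROM {$wpdb->prefix}example_views WHERE id = " . $id;
    return $wpdb->get_row( $sql, ARRAY_A );
}

// FIXED: bind every value through $wpdb->prepare(). %d casts to an integer,
// %s is quoted and escaped, %i (WordPress 6.2+) quotes an identifier.
// The table name is not user input and stays in the template.
function example_get_view_fixed( $id ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT id, title, options FROM {$wpdb->prefix}example_views WHERE id = %d",
        $id
    );
    return $wpdb->get_row( $sql, ARRAY_A );
}

// A sort column cannot be bound as a value: prepare() with %s would quote it
// and MySQL would order by a constant string. Allow-list it instead, then the
// interpolation is of a value the code chose, not the caller.
function example_list_views( $orderby, $limit ) {
    global $wpdb;
    $columns = array( 'id', 'title', 'created' );
    $orderby = in_array( $orderby, $columns, true ) ? $orderby : 'id';
    $sql = $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}example_views ORDER BY {$orderby} LIMIT %d",
        absint( $limit )
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}
```

Practical checks when auditing a plugin for this class: grep for $wpdb->get_row, get_results, get_var and query whose first argument is a double-quoted string containing a variable other than $wpdb->prefix, and for prepare() calls whose template itself contains interpolated request data (prepare only protects the placeholders). A literal percent sign inside a prepared template must be written as %% or prepare() will reject or mangle the query.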